Process safety time for fired heaters
Cases illustrate the actions needed to avoid hazards occurring when the supply to a fired heater is disturbed.
CHRIS STEVES, RICHARD TODD, JAMES NORTON and JERRY ZHANG
Norton Engineering Consultants
The fired heater is a common unit operation in the refining and petrochemical industries that is used to increase the temperature of a process fluid. Fired heaters are required when a process-to-process heat exchanger or a utility exchanger (steam condenser, hot oil heater) cannot provide sufficient driving force to raise the temperature of a process fluid for downstream processing. There are numerous applications for fired heaters, from preheating feed to process units to reboiling distillation towers.
During normal operation a fired heater will be exposed to disturbances in the supply of fuel, combustion air or process fluid that can lead to a hazardous condition. To manage these disturbances and keep the heater operating and controlled safely, several layers of protective systems are normally provided [1]. Each layer is designed to take independent action that prevents the fired heater from reaching a hazardous condition. Protective actions can include:
- Operator intervention based on alarms or other indication of a process upset; typically this intervention can only be effective for slow responding systems that have extended times to reach a hazardous condition
- The basic process control system (BPCS), typically a DCS, which automatically responds to process conditions to maintain stable and safe operation
- A safety instrumented system (SIS), commonly implemented on a fault-tolerant safety PLC that is independent of the BPCS, so that it can act when components of the BPCS are not functioning correctly. The SIS is a critical component in maintaining the safe operation of the fired heater
The combination of protective systems on a fired heater ensures that the unit can be safely started up and operated within its safe operating limits (SOLs). The design of these systems varies with the process fluids passing through the heater, the specific safety concerns those services introduce, the configuration of the heater, and any design standards or guidelines applied by the owner. For the protective systems to be effective in preventing a catastrophic failure, the process safety time for each hazardous event must be calculated and used to confirm that the systems offer adequate protection.
Process safety time is defined as the time between a failure occurring in the process or its control system and the occurrence of the hazardous event [2]. It is a function of equipment design and operating parameters, and can be estimated for each failure and resulting hazardous event by modelling the system dynamics. Estimates of process safety time take no credit for any mitigating action that would be performed to protect the heater. Figure 1 illustrates a fired heater response to an initiating event and the resulting process safety time. Several commonly used terms for process safety time analysis are also shown in the figure.
Process safety times should be defined and calculated for each initiating event, usually based on input from a multi-functional team participating in a process hazard analysis (PHA) or HazOp study. The PHA team reviews the potential hazards associated with the process equipment in each mode of operation (start-up, shutdown, normal operation, operational upset, and so on). The severity of the potential consequence and its likelihood of occurrence are then used to decide which type of mitigating action is needed to prevent the consequence, for instance whether an automated safety system is required or whether manual operator response is sufficient. An understanding of the process safety time is critical in choosing the best hazard mitigation strategy.
To determine the process safety time for a particular scenario, several simplifying, conservative assumptions about operation prior to the initiating event must be made. Critical review of these assumptions by the multi-disciplined PHA team, including subject matter experts, is good practice and improves the quality of the estimate. For example, it is common to assume that a fired heater is operating at design fired duty prior to any initiating event, but if the unit is often operated at firing rates above design, this should be reflected in the initial conditions used for the static and/or dynamic simulations of the event from which the process safety time is determined.
Some initiating causes and their resulting hazardous events that may need to be considered and evaluated for a fired heater include:
- Loss of process flow to one or more passes, causing the tubes to overheat and rupture
- Gas burner fuel block valves open before light-off, or a flameout at the burners occurs due to a disturbance in the fuel supply during normal operation, causing an accumulation of unburned fuel in the firebox which can lead to an explosion
- Damper closed in a natural draft heater, causing an accumulation of unburned fuel in the firebox which can lead to an explosion
- Loss of combustion air from a forced draft fan, causing an accumulation of unburned fuel in the firebox which can lead to an explosion
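The first hazard in the list above, loss of process flow leading to tube overheating, is the one most easily illustrated with a simple dynamic model of the kind the text refers to. The following Python script is an added example and is not code from the article or its authors: it treats one radiant tube as a single lump of metal that keeps absorbing radiant heat at the pre-event firing rate after the process fluid stops removing heat, and integrates the metal temperature until it reaches a limit taken as the rupture point. Every number in it (tube mass, specific heat, exposed area, emissivity, firebox gas temperature, starting and limit metal temperatures) is a hypothetical placeholder, and the radiant-exchange expression is a textbook simplification, not a heater vendor's model. It also carries the sensitivity check from the previous paragraph: over-firing is represented, crudely, as a proportionally higher firebox gas temperature.

```python
"""Lumped-capacitance estimate of process safety time (PST) for loss of
process flow to one pass of a fired heater.  Added example: every number
below is a hypothetical placeholder, not data from the article."""
import math
from dataclasses import dataclass, replace

SIGMA = 5.670374419e-8  # Stefan-Boltzmann constant, W/(m^2 K^4)


@dataclass(frozen=True)
class LossOfFlowCase:
    """Single radiant tube, treated as one lump (hypothetical values)."""
    tube_mass_kg: float = 380.0        # steel mass of the tube
    cp_j_per_kg_k: float = 540.0       # specific heat of the tube steel
    area_m2: float = 6.0               # outside surface exposed to the firebox
    emissivity: float = 0.85           # effective radiant exchange factor
    gas_temp_k: float = 1050.0         # firebox gas temperature at design firing
    start_metal_temp_k: float = 650.0  # metal temperature while flow is present
    limit_metal_temp_k: float = 950.0  # metal temperature taken as the rupture limit


def process_safety_time(case: LossOfFlowCase, dt_s: float = 0.5,
                        max_time_s: float = 3600.0) -> float:
    """Time from total loss of process flow until the tube metal reaches
    the limit temperature, with no protective action credited (this is
    what the PST definition requires).  Simplifying, conservative
    assumptions, all hypothetical:
      - firing continues at the pre-event rate (gas_temp_k is constant);
      - the process fluid removes no heat after the event (no residual
        flow or vaporisation credit), so all absorbed heat warms the metal;
      - absorbed heat follows eps * sigma * A * (Tg^4 - Tm^4).
    Returns math.inf if the limit is not reached within max_time_s."""
    heat_capacity_j_per_k = case.tube_mass_kg * case.cp_j_per_kg_k
    k = case.emissivity * SIGMA * case.area_m2  # W/K^4
    t, tm = 0.0, case.start_metal_temp_k
    while tm < case.limit_metal_temp_k:
        if t >= max_time_s:
            return math.inf
        q_abs_w = k * (case.gas_temp_k ** 4 - tm ** 4)
        tm += q_abs_w / heat_capacity_j_per_k * dt_s  # explicit Euler step
        t += dt_s
    return t


def pst_sensitivity(case: LossOfFlowCase,
                    gas_temp_multipliers=(1.0, 1.05, 1.10)) -> dict:
    """PST at design firing and at hypothetical over-firing, represented
    crudely as a proportionally higher firebox gas temperature.  Shows why
    the PHA team must check the 'operating at design duty' assumption."""
    return {
        m: process_safety_time(replace(case, gas_temp_k=case.gas_temp_k * m))
        for m in gas_temp_multipliers
    }


if __name__ == "__main__":
    base = LossOfFlowCase()
    for mult, pst in pst_sensitivity(base).items():
        print(f"gas temperature x{mult:.2f}: PST = {pst:6.1f} s")
```

With the placeholder values the metal reaches the limit a few minutes after the event, and the time shortens markedly as the assumed firing rises, which is the point of reviewing the pre-event operating assumption. A real analysis would replace the lump with a tube-wall model, include residual fluid and the fired-duty response of the firebox, and take the limit temperature from the tube metallurgy and creep data rather than a round number.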
After all process safety times for a particular piece of equipment like a fired heater have been determined, the SIS can be designed to ensure that it will successfully keep the hazardous event (the consequence) from occurring after the initiating event (the cause) has started. The SIS will usually incorporate multiple safety instrumented functions (SIF), each of which may be considered as an independent protection layer (IPL) for mitigating the hazard and usually evaluated as part of a PHA and layer of protection analysis (LOPA).
The total response time for the SIF is composed of the detection time (based on instrumentation used to detect the initiating event), any process delay built into the SIF to filter out spurious instrument or process issues, the time for the SIF to complete its action (logic controller time and valve closure time), and any process lag present in the system after the SIF has completed its action. An example of a SIF to close the fuel shut-off valve upon a loss of process flow to the heat transfer coil is shown in Figure 2.
For the SIF to succeed in preventing the hazardous event, its total response time must be less than the process safety time. Many owners build conservatism into the SIF design by specifying that the total response time must be less than one half of the process safety time [2].
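The response-time budget described in the two paragraphs above can be checked explicitly. The following Python script is an added example, not code from the article or its authors: it models a low-flow SIF on one heater pass that closes the fuel shut-off valve, adds up detection time, deliberate delay filter, logic solver time, valve closure and process lag, and tests the total against both the bare requirement (less than the process safety time) and the common owner criterion (less than half of it). The process safety time of 40 s, the flow values, the instrument lag and every delay are hypothetical placeholders, and the detection time is modelled as a first-order lag on the flow measurement, which is one way to represent "detection time based on the instrumentation used" rather than anything the article specifies. The second case shows the failure mode a practitioner would want to catch: damping and delay increased to suppress nuisance trips without re-checking the budget.

```python
"""Response-time budget of a safety instrumented function (SIF) checked
against process safety time (PST).  Added example; all numbers are
hypothetical placeholders, not values from the article."""
import math
from dataclasses import dataclass, replace

PST_S = 40.0  # hypothetical PST for loss of flow to the pass, from a separate analysis


@dataclass(frozen=True)
class LowFlowTrip:
    """Low-flow SIF on one heater pass that closes the fuel shut-off valve."""
    normal_flow: float        # flow before the event, fraction of design
    flow_after_event: float   # flow after the initiating event, fraction of design
    trip_setpoint: float      # SIF trips when measured flow falls below this
    transmitter_tau_s: float  # first-order lag of transmitter plus damping
    delay_filter_s: float     # deliberate on-delay to ride through spurious dips
    logic_solver_s: float     # worst-case scan plus output update
    valve_closure_s: float    # fuel shut-off valve stroke time
    process_lag_s: float      # e.g. fuel between valve and burners still burning

    def detection_time(self) -> float:
        """Time for the lagged measurement to cross the trip setpoint after a
        step change in actual flow: m(t) = after + (normal - after) * exp(-t/tau).
        Returns math.inf if the event never drives the measurement below the
        setpoint, i.e. this SIF would not detect it at all."""
        if self.flow_after_event >= self.trip_setpoint:
            return math.inf
        if self.normal_flow <= self.trip_setpoint:
            return 0.0  # setpoint above normal flow: trips immediately (and spuriously)
        ratio = ((self.trip_setpoint - self.flow_after_event)
                 / (self.normal_flow - self.flow_after_event))
        return -self.transmitter_tau_s * math.log(ratio)

    def action_time(self) -> float:
        """Everything after detection: filter delay, logic, valve, process lag."""
        return (self.delay_filter_s + self.logic_solver_s
                + self.valve_closure_s + self.process_lag_s)

    def total_response_time(self) -> float:
        return self.detection_time() + self.action_time()


def sif_is_adequate(total_response_s: float, pst_s: float,
                    margin: float = 0.5) -> bool:
    """Acceptance criterion: total response time must be less than
    margin * PST.  margin=0.5 is the 'half the PST' owner criterion;
    margin=1.0 is the bare requirement."""
    return total_response_s < margin * pst_s


def max_delay_filter_s(sif: LowFlowTrip, pst_s: float, margin: float = 0.5) -> float:
    """Largest on-delay the budget can absorb (the delay must stay strictly
    below this value); 0.0 if the other components already exceed the budget."""
    fixed = sif.total_response_time() - sif.delay_filter_s
    return max(0.0, margin * pst_s - fixed)


# Constructed cases: as designed, and after damping and delay were increased
# to stop nuisance trips without re-checking the budget.
DESIGN_SIF = LowFlowTrip(normal_flow=1.0, flow_after_event=0.0, trip_setpoint=0.7,
                         transmitter_tau_s=2.0, delay_filter_s=3.0, logic_solver_s=0.5,
                         valve_closure_s=5.0, process_lag_s=2.0)
RETUNED_SIF = replace(DESIGN_SIF, transmitter_tau_s=10.0, delay_filter_s=12.0)


def evaluate(sif: LowFlowTrip, pst_s: float = PST_S) -> dict:
    """Budget summary for one SIF against one PST."""
    total = sif.total_response_time()
    return {
        "detection_s": sif.detection_time(),
        "total_s": total,
        "below_pst": sif_is_adequate(total, pst_s, margin=1.0),
        "below_half_pst": sif_is_adequate(total, pst_s, margin=0.5),
        "max_delay_filter_s": max_delay_filter_s(sif, pst_s),
    }


if __name__ == "__main__":
    for name, sif in (("as designed", DESIGN_SIF), ("retuned", RETUNED_SIF)):
        print(name, evaluate(sif))
```

The retuned case still responds well inside the 40 s process safety time, so a check against the bare requirement passes, but it fails the half-PST criterion; `max_delay_filter_s` then gives the longest delay the retuned transmitter settings leave room for. The practical lesson is that instrument damping and delay filters are part of the SIF response time and should not be changed in the field without repeating this comparison.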